“CAPTCHA”? What’s this? Everybody has already used a CAPTCHA (“Completely Automated Turing Test To Tell Computers and Humans Apart”). You know those pictures made of deformed letters that you have to read and type into a specific field to perform some operations like creating an account, authenticating, etc. Almost all well-known service providers and applications use them: Google, Yahoo!, PayPal, phpBB. Their goal is simple: prevent bots (computers) from wasting resources.
The problem is that computers can now “read” them… Most CAPTCHAs have been hacked (even the Yahoo! one has been broken). On sites like captchakiller.com (free!), an API is even available to decode CAPTCHAs automatically! They say the service is provided to help blind people access resources protected by CAPTCHAs on the Internet, but how do you prevent misuse of such a service?
Google recently introduced audio CAPTCHAs. Check this audio example. It is a step further, but audio can also be converted to text (speech recognition). The sound can be distorted and background noise can be added, but new algorithms will always be found to circumvent the CAPTCHA!
In July 2006 (is this blog so old? ;), I already posted an article about another way to distinguish humans from bots: the goal was to select the three “hot” girls among nine random pictures (the project was called HotCaptcha).
Microsoft announced a new, more “ethical” solution called the Asirra project. Asirra stands for “Animal Species Image Recognition for Restricting Access”.
It’s easy: pictures of animals are displayed and you just have to select all the cat pictures!
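To show what the server side of such a "select all the cats" challenge has to check, here is an added example (not Asirra's or Microsoft's code): the image pool, its labels and the sample sizes are constructed placeholders, and the token format with its HMAC, expiry and one-time nonce is an assumption made for the example.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Constructed sample image pool: image id -> species label. In Asirra the
# labels come from a large shelter-photo database; these are placeholders.
IMAGE_POOL = {
    "img01": "cat", "img02": "dog", "img03": "cat", "img04": "dog",
    "img05": "dog", "img06": "cat", "img07": "dog", "img08": "dog",
    "img09": "cat", "img10": "dog", "img11": "cat", "img12": "dog",
    "img13": "dog", "img14": "cat", "img15": "dog", "img16": "cat",
}
SECRET_KEY = os.urandom(32)   # server-side only; never sent to the client
_used_nonces = set()          # one attempt per challenge: no replay of a solved token

def _mac(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_challenge(pool=IMAGE_POOL, n=12, ttl=300, now=None, key=SECRET_KEY):
    """Pick n images to show and return (image_ids, token). The token binds
    the shown ids, an expiry and a nonce under an HMAC; it carries no labels,
    so the client cannot read the answer out of it."""
    now = time.time() if now is None else now
    ids = secrets.SystemRandom().sample(sorted(pool), n)
    payload = json.dumps({"ids": ids, "exp": int(now) + ttl,
                          "nonce": secrets.token_hex(8)}).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload, key)
    return ids, token

def verify_answer(token, selected, pool=IMAGE_POOL, now=None, key=SECRET_KEY):
    """True only if the token is authentic, unexpired and unused, and the
    selected ids are exactly the cats among the images that were shown."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return False                      # forged or tampered token
    data = json.loads(payload)
    if now > data["exp"] or data["nonce"] in _used_nonces:
        return False                      # expired, or already answered once
    _used_nonces.add(data["nonce"])       # burn the token whether right or wrong
    expected = {i for i in data["ids"] if pool[i] == "cat"}
    # Set equality: every cat selected, no dog selected, nothing outside the
    # shown set. Partial credit would let a bot pass with a lucky guess.
    return set(selected) == expected
```

Burning the nonce before checking the answer is what caps a bot at one guess per challenge, which is the property the labelled image pool alone does not give.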
How long will this method resist? Nobody knows, but for sure it will be broken! And even if it is not broken, some bad guys use the manual way to bypass CAPTCHAs. Instead of letting the computer do the job, real humans do it and… they are paid for this business! All the solved CAPTCHAs are stored in databases, ready to be used!
Finally, why waste time decoding CAPTCHAs when ordinary users do it for you? At the end of 2007, a new worm spread across the Internet: Trojan.Captchar.A.
It displayed a nice girl and asked you to decode CAPTCHAs to strip her. The decoded strings were recorded and sent to a central server. Quick and efficient!
Another solution would be to create CAPTCHAs based on high-level questions related to the website or forum content. Why not a test like this one during the creation of a new account on a forum about mathematics? 😉